Cybersecurity Basics for Property Professionals (BOMA 2024)
High-profile cybersecurity breaches are all over the news, from Target in 2013 to MGM and Caesars in 2023. The threats are out there—but do you know how to defend yourself and your company against them?
No organization is too small to fall victim to a cyber attack, said AJ Gyomber, founder and CEO of Technology Visionaries and a 27-year IT professional who has worked for companies like AT&T, Philips and Motorola. In a Tuesday afternoon session at the 2024 BOMA International Conference & Expo, Gyomber walked attendees through cybersecurity basics that anyone can implement right now to keep themselves or their companies from getting hacked, embezzled or ransomed.
Why Should I Care About Cybersecurity?
Cyber attacks can happen to any person, whether they’re a high-profile individual or not. They can also happen to any business of any size. “It’s relevant for you both personally and professionally,” Gyomber said. “On the internet, you’re either being sold to or your information is being sold—so you should be stewards of your own data. Make sure you’re not giving out information you shouldn’t be giving out. Your job is to protect your data, and in order to do that, you have to have some level of cybersecurity awareness.”
Bad actors use three strategies to gain access to valuable data belonging to people or organizations:
- Ransomware: This is malicious software that encrypts all the data found on someone’s computer or other device, which could contain emails, databases or other important information. “They gatekeep it and want you to pay a ransom to get your data back,” Gyomber explained. The payment typically comes in the form of Bitcoin, which is untraceable.
- Social engineering: The use of deception to manipulate someone into divulging confidential or personal information, which can then be used for fraudulent purposes. One well-known kind of social engineering is phishing, in which someone sends an email or other type of message purporting to be from a reputable company to gain passwords, credit card numbers or other data.
- Brute force hacking: Using techniques to gain access to a network.
Cybersecurity Risks in Property Management
Many property managers don’t work for organizations the size of Target or MGM, but have enormous networks, Gyomber explained. Think of all the connected technology in your portfolio that could be compromised by one employee in your company clicking a link or opening a PDF that they shouldn’t have. “As an organization or an industry, you’re at a unique risk because you’re supporting more than just your office network,” Gyomber said. “You’re supporting entire buildings, and you have tenants that are affected by this as well.”
Property managers also typically work with many third-party subcontractors, who often have access to controls and other building systems so they can maintain them. “You don’t know what their cybersecurity posture is, and now they’re directly connected to your network and creating a risk,” Gyomber said.
Complexity also creates a risk. Your network may have a building management system, point-of-sale systems, wireless internet in common areas, security cameras, digital signage, water treatment and more. An infection in one system could easily spread to the rest of the network, as with Target’s 2013 attack, in which the network credentials of the retail giant’s HVAC contractor were used to gain access to credit card processing systems. Ultimately, the credit card data of 70 million shoppers was exposed.
There’s more than inconvenience at risk, Gyomber said. Bad actors can wreak havoc inside buildings by doing things like:
- Lowering the temperature of all thermostats, causing pipe freezing and water damage
- Raising the temperature of thermostats, causing equipment overheating, employee complaints or life science issues
- Turning on fire suppression and disabling a data center
- Deleting all the video camera footage, then claiming they slipped and fell in your building
One particularly scary example from Oldsmar, Florida, involved a hacker exploiting an outdated computer system used by the water treatment plant. The attacker raised the levels of sodium hydroxide, which is used in small amounts to remove metals from water, from 100 parts per million to 11,100 parts per million in just a few minutes. Luckily, a plant manager noticed the attack as it was happening and was able to return the levels to normal before major damage occurred. Nevertheless, it underscores how easily and quickly things can go sideways if you’re the victim of a cyber attack.
How to Reduce Your Risk
“The same way my company protects our clients is relevant to how you may protect your family’s information and data,” said Gyomber. “The same thing we do for our police department is the same thing you’d do for yourself. You can mitigate the security risks, but still allow people to do their jobs.”
Review your security practices today with these tips.
Passwords and PINs: “Everything you own should have a password, a PIN code or touch ID,” said Gyomber. Don’t assume that you have nothing to hide or nothing to protect—you do. “If you have your corporate email or personal email on your phone, there’s a lot of data they can hold against you, so you want to make sure everything’s protected with a PIN code or password. Try not to reuse PIN codes,” Gyomber said. “You want to make sure no one can get easy access to it.” Don’t reuse passwords either, he added.
Two-factor or multi-factor authentication: This six-digit code that’s regenerated constantly is another way to keep your systems safe. “When we’re talking about Facebook, LinkedIn or all my email accounts, every single system that allows for [multi-factor authentication], I use it,” Gyomber said.
Encryption: “Make sure your devices are encrypted,” Gyomber advised. “If someone was to gain access to your computer, you’re going to want it to be encrypted so no one can exfiltrate data from that device.” Backups should also be encrypted, and when you’re browsing the internet, look for the lock icon in the browser that indicates a Secure Sockets Layer (SSL) connection.
Backups: iOS and Android both have built-in backup software, Gyomber said. Consider also using secure cloud-based backup software, such as Backblaze or CrashPlan, and combine it with local backups on external hard drives that you test regularly. Your IT department should do that for you with your professional data, but on the personal side, you’ll want to do the same thing.
Permissions: Watch when you install new apps to make sure they don’t have access to any part of your phone that they shouldn’t have access to—for example, a game doesn’t need access to your contacts. Whenever you download software to your computer, ensure that you’re downloading it from the authentic manufacturer website—it’s not always the first search result.
Updates: Keep current with any patches issued for your hardware or software. Don’t let your systems run without being patched. These updates aren’t just about performance—they’re also addressing security vulnerabilities.
Password management: Consider using a password manager that generates new, secure passwords for you and keeps them in a vault. Password managers are available for computers, phones, tablets and more. In addition to being highly secure, they’re also convenient—the only password you’ll have to remember is the one that unlocks the password manager. This is much more secure than saving passwords in your browser.
Email security: Never use your personal email for business. Use scam filtering software for your personal email—your IT department probably takes care of this for your professional email. “If you get a UPS invoice and you mouse over the master link and it doesn’t look like UPS, stop,” said Gyomber. “Send it to your IT department and don’t click it. That’s how they get in.” The same applies to opening a PDF where you don’t recognize the source—PDFs are the entry point for a surprising number of breaches, Gyomber said.
“You’re part of the security team. You’re the entry point in most cases,” Gyomber said. “Be slow to click on a link in your email. Mouse over every link before you click on it.” It’s easy to develop alarm fatigue when we’re inundated with alerts and notifications, but your safety is worth the work.
“You may think that this doesn’t apply to you, but it does,” Gyomber added. “There’s a common misconception that we’re too small, we’re not a target. You’re a target.”